topic Re: ASA show access-list in Network Security

ASA show access-list

ring zer0 — Mon, 07 Oct 2019 13:38:39 GMT

Using OS Code: 9.10(1)27

When I do show access-list it gives me output with ACLs having object-groups in source and destination however under that it also list the IPs covered under that object group. I do not want that detailed listing and only the ACLs.

Which syntax can help solve the issue?

Example:

access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2

Want to get rid of line 2,3,5,6 in the output.

Re: ASA show access-list

Seb Rupik — Mon, 07 Oct 2019 13:35:00 GMT

Hi there,

If you don't want the ACL expansion, why not just use sh run | inc access-list

cheers,

Seb.

Re: ASA show access-list

ring zer0 — Mon, 07 Oct 2019 13:40:41 GMT

2 Reasons
1 ) I want to filter out all ACLs with DNS and when I tried "sh run | incl access-list | incl domain" it does not work as expected.
2 ) I also want to see hit counts on ACLs which "show run" does not shows.

Re: ASA show access-list

Seb Rupik — Mon, 07 Oct 2019 13:56:59 GMT

After the initial pipe ( | ) any subsequent vertical bar is interpreted as a logical OR.

You could try sh run access-list | inc domain

Unfortunately there are no attributes you could regex which would exclude the expanded ACL output. Something like:

^\s{2}access-list

...would work great! As it is, if you want hit counts you have to use sh access-list. You could always export the output to a text handler which is more regex compliant?

cheers,

Seb.

Re: ASA show access-list

ring zer0 — Mon, 07 Oct 2019 14:01:28 GMT

That's what I am doing , get output from show access-list | incl domain , copy in notepad and remove the undesired parts. Thought there might be a automated workaround for this.

Re: ASA show access-list

Seb Rupik — Mon, 07 Oct 2019 14:17:15 GMT

You mention notepad so you must be using windows. If you have access to Linux, the process can be achieved with the following command:

grep -v '^\s\saccess-list' acl_input.txt  > acl_output.txt

acl_input.txt would contain:

access-list foobar line 1 ext permit object-group FOO …
  access-list foobar line 1 ext permit 192.168.1.1 …
  access-list foobar line 1 ext permit 192.168.1.2 …

..the resulting output (acl_output.txt) would contain just:

access-list foobar line 1 ext permit object-group FOO …

I know Notepad++ support regex search, you might be able to leverage that to produce the output. Or just spin up a Linux VM.

cheers,

Seb.

Re: ASA show access-list

cosmic — Wed, 18 May 2022 14:25:48 GMT

I agree that this is annoying, that there seems to be no command to allow seeing the hitcounts of the policies, but not the expansion.

I have discovered a way to see the hitcounts, without the expansion. Because the lines of the expansion are indented two spaces. you can use the following command to just see the non-expansion lines:

show access-list | exclude . access-list

Note, that is 'show access-list | ex (dot)(space)access-list'. I suspect regex gurus may have a cleaner way to do this, but it works.

This does not inherently match your example, as also excluding lines with 'domain' might be tricky.

Hope this helps.

Re: ASA show access-list

jilse-iph — Tue, 13 Aug 2024 23:35:46 GMT

"sh run | inc access-list" is nott necessary, you may also use "sh run access-list". Youma also restrict the outputt toone access-list, if you add tthe access-listname to the command: "sh run access-list FROM_INSIDE". If you also want to see tthhe sequence numbers and tthe matches for every access-list entry, you can try "show access-list FROM-INSIDE | inc ^a", because that will show only the "unexpanded" lines (the "expanded" lines for each access-list entry begin with a blank character and will not match the regular expression "^a", so they will not be included in the output).

Re: ASA show access-list

jilse-iph — Tue, 13 Aug 2024 23:47:02 GMT

You can not use "| include" more than once in a single command. But you may try

"sh run | incl access-list .* domain" which will include all lines in the output, that match "access-list " followed by any string followed by "domain". The argument for "include" is not a fixed string but a regular expression, and in regular expressions ""." matches any single character and ".*" an sequence of 0 or more characters.

Re: ASA show access-list

jilse-iph — Tue, 13 Aug 2024 23:55:17 GMT

"I agree that this is annoying, that there seems to be no command to allow seeing the hitcounts of the policies, but not the expansion."

Bur there is such a command. If you look carefull on te output of "show access-list", you may notice, that the "expaned lines" areprefixed with a space. If you want to see only the access-list with hitcounts but witout the expansions, you can use "show access-list | include ^a" (wihch will not include lines beginning wwit a space).